aboutsummaryrefslogtreecommitdiffstats
path: root/lib/arc.c
blob: fd4984548233c1de8f92a37ce062d8384cd56df4 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223

/***************************************************************************\
*                                                                           *
*  BitlBee - An IRC to IM gateway                                           *
*  Simple (but secure) ArcFour implementation for safer password storage.   *
*                                                                           *
*  Copyright 2006 Wilmer van der Gaast <wilmer@gaast.net>                   *
*                                                                           *
*  This library is free software; you can redistribute it and/or            *
*  modify it under the terms of the GNU Lesser General Public               *
*  License as published by the Free Software Foundation, version            *
*  2.1.                                                                     *
*                                                                           *
*  This library is distributed in the hope that it will be useful,          *
*  but WITHOUT ANY WARRANTY; without even the implied warranty of           *
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU        *
*  Lesser General Public License for more details.                          *
*                                                                           *
*  You should have received a copy of the GNU Lesser General Public License *
*  along with this library; if not, write to the Free Software Foundation,  *
*  Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA           *
*                                                                           *
\***************************************************************************/

/* 
   This file implements ArcFour-encryption, which will mainly be used to
   save IM passwords safely in the new XML-format. Possibly other uses will
   come up later. It's supposed to be quite reliable (thanks to the use of a
   6-byte IV/seed), certainly compared to the old format. The only realistic
   way to crack BitlBee passwords now is to use a sniffer to get your hands
   on the user's password.
   
   If you see that something's wrong in this implementation (I asked a
   couple of people to look at it already, but who knows), please tell me.
   
   The reason I picked ArcFour is because it's pretty simple but effective,
   so it will work without adding several KBs or an extra library dependency.
   
   (ArcFour is an RC4-compatible cipher. See for details:
   http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt)
*/


#include <glib.h>
#include <gmodule.h>
#include <stdlib.h>
#include <string.h>
#include "misc.h"
#include "arc.h"

/* Add some seed to the password, to make sure we *never* use the same key.
   This defines how many bytes we use as a seed. */
#define ARC_IV_LEN 6

/* To defend against a "Fluhrer, Mantin and Shamir attack", it is recommended
   to shuffle S[] just a bit more before you start to use it. This defines how
   many bytes we'll request before we'll really use them for encryption. */
#define ARC_CYCLES 1024

struct arc_state *arc_keymaker( unsigned char *key, int kl, int cycles )
{
	struct arc_state *st;
	int i, j, tmp;
	unsigned char S2[256];
	
	st = g_malloc( sizeof( struct arc_state ) );
	st->i = st->j = 0;
	if( kl <= 0 )
		kl = strlen( (char*) key );
	
	for( i = 0; i < 256; i ++ )
	{
		st->S[i] = i;
		S2[i] = key[i%kl];
	}
	
	for( i = j = 0; i < 256; i ++ )
	{
		j = ( j + st->S[i] + S2[i] ) & 0xff;
		tmp = st->S[i];
		st->S[i] = st->S[j];
		st->S[j] = tmp;
	}
	
	memset( S2, 0, 256 );
	i = j = 0;
	
	for( i = 0; i < cycles; i ++ )
		arc_getbyte( st );
	
	return st;
}

/*
   For those who don't know, ArcFour is basically an algorithm that generates
   a stream of bytes after you give it a key. Just get a byte from it and
   xor it with your cleartext. To decrypt, just give it the same key again
   and start xorring.
   
   The function above initializes the byte generator, the next function can
   be used to get bytes from the generator (and shuffle things a bit).
*/

unsigned char arc_getbyte( struct arc_state *st )
{
	unsigned char tmp;
	
	/* Unfortunately the st-> stuff doesn't really improve readability here... */
	st->i ++;
	st->j += st->S[st->i];
	tmp = st->S[st->i];
	st->S[st->i] = st->S[st->j];
	st->S[st->j] = tmp;
	tmp = (st->S[st->i] + st->S[st->j]) & 0xff;
	
	return st->S[tmp];
}

/*
   The following two functions can be used for reliable encryption and
   decryption. Known plaintext attacks are prevented by adding some (6,
   by default) random bytes to the password before setting up the state
   structures. These 6 bytes are also saved in the results, because of
   course we'll need them in arc_decode().
   
   Because the length of the resulting string is unknown to the caller,
   it should pass a char**. Since the encode/decode functions allocate
   memory for the string, make sure the char** points at a NULL-pointer
   (or at least to something you already free()d), or you'll leak
   memory. And of course, don't forget to free() the result when you
   don't need it anymore.
   
   Both functions return the number of bytes in the result string.
   
   Note that if you use the pad_to argument, you will need zero-termi-
   nation to find back the original string length after decryption. So
   it shouldn't be used if your string contains \0s by itself!
*/

int arc_encode( char *clear, int clear_len, unsigned char **crypt, char *password, int pad_to )
{
	struct arc_state *st;
	unsigned char *key;
	char *padded = NULL;
	int key_len, i, padded_len;
	
	key_len = strlen( password ) + ARC_IV_LEN;
	if( clear_len <= 0 )
		clear_len = strlen( clear );
	
	/* Pad the string to the closest multiple of pad_to. This makes it
	   impossible to see the exact length of the password. */
	if( pad_to > 0 && ( clear_len % pad_to ) > 0 )
	{
		padded_len = clear_len + pad_to - ( clear_len % pad_to );
		padded = g_malloc( padded_len );
		memcpy( padded, clear, clear_len );
		
		/* First a \0 and then random data, so we don't have to do
		   anything special when decrypting. */
		padded[clear_len] = 0;
		random_bytes( (unsigned char*) padded + clear_len + 1, padded_len - clear_len - 1 );
		
		clear = padded;
		clear_len = padded_len;
	}
	
	/* Prepare buffers and the key + IV */
	*crypt = g_malloc( clear_len + ARC_IV_LEN );
	key = g_malloc( key_len );
	strcpy( (char*) key, password );
	
	/* Add the salt. Save it for later (when decrypting) and, of course,
	   add it to the encryption key. */
	random_bytes( crypt[0], ARC_IV_LEN );
	memcpy( key + key_len - ARC_IV_LEN, crypt[0], ARC_IV_LEN );
	
	/* Generate the initial S[] from the IVed key. */
	st = arc_keymaker( key, key_len, ARC_CYCLES );
	g_free( key );
	
	for( i = 0; i < clear_len; i ++ )
		crypt[0][i+ARC_IV_LEN] = clear[i] ^ arc_getbyte( st );
	
	g_free( st );
	g_free( padded );
	
	return clear_len + ARC_IV_LEN;
}

int arc_decode( unsigned char *crypt, int crypt_len, char **clear, char *password )
{
	struct arc_state *st;
	unsigned char *key;
	int key_len, clear_len, i;
	
	key_len = strlen( password ) + ARC_IV_LEN;
	clear_len = crypt_len - ARC_IV_LEN;
	
	if( clear_len < 0 )
	{
		*clear = g_strdup( "" );
		return 0;
	}
	
	/* Prepare buffers and the key + IV */
	*clear = g_malloc( clear_len + 1 );
	key = g_malloc( key_len );
	strcpy( (char*) key, password );
	for( i = 0; i < ARC_IV_LEN; i ++ )
		key[key_len-ARC_IV_LEN+i] = crypt[i];
	
	/* Generate the initial S[] from the IVed key. */
	st = arc_keymaker( key, key_len, ARC_CYCLES );
	g_free( key );
	
	for( i = 0; i < clear_len; i ++ )
		clear[0][i] = crypt[i+ARC_IV_LEN] ^ arc_getbyte( st );
	clear[0][i] = 0; /* Nice to have for plaintexts. */
	
	g_free( st );
	
	return clear_len;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-14 01:00:21 +0000
an>"iuml", "ï" }, { "ouml", "ö" }, { "uuml", "ü" }, { "nbsp", " " }, { "", "" } }; void strip_html( char *in ) { char *start = in; char out[strlen(in)+1]; char *s = out, *cs; int i, matched; int taglen; memset( out, 0, sizeof( out ) ); while( *in ) { if( *in == '<' && ( isalpha( *(in+1) ) || *(in+1) == '/' ) ) { /* If in points at a < and in+1 points at a letter or a slash, this is probably a HTML-tag. Try to find a closing > and continue there. If the > can't be found, assume that it wasn't a HTML-tag after all. */ cs = in; while( *in && *in != '>' ) in ++; taglen = in - cs - 1; /* not <0 because the above loop runs at least once */ if( *in ) { if( g_strncasecmp( cs+1, "b", taglen) == 0 ) *(s++) = '\x02'; else if( g_strncasecmp( cs+1, "/b", taglen) == 0 ) *(s++) = '\x02'; else if( g_strncasecmp( cs+1, "i", taglen) == 0 ) *(s++) = '\x1f'; else if( g_strncasecmp( cs+1, "/i", taglen) == 0 ) *(s++) = '\x1f'; else if( g_strncasecmp( cs+1, "br", taglen) == 0 ) *(s++) = '\n'; in ++; } else { in = cs; *(s++) = *(in++); } } else if( *in == '&' ) { cs = ++in; while( *in && isalpha( *in ) ) in ++; if( *in == ';' ) in ++; matched = 0; for( i = 0; *ent[i].code; i ++ ) if( g_strncasecmp( ent[i].code, cs, strlen( ent[i].code ) ) == 0 ) { int j; for( j = 0; ent[i].is[j]; j ++ ) *(s++) = ent[i].is[j]; matched = 1; break; } /* None of the entities were matched, so return the string */ if( !matched ) { in = cs - 1; *(s++) = *(in++); } } else { *(s++) = *(in++); } } strcpy( start, out ); } char *escape_html( const char *html ) { const char *c = html; GString *ret; char *str; if( html == NULL ) return( NULL ); ret = g_string_new( "" ); while( *c ) { switch( *c ) { case '&': ret = g_string_append( ret, "&amp;" ); break; case '<': ret = g_string_append( ret, "&lt;" ); break; case '>': ret = g_string_append( ret, "&gt;" ); break; case '"': ret = g_string_append( ret, "&quot;" ); break; default: ret = g_string_append_c( ret, *c ); } c ++; } str = ret->str; g_string_free( ret, FALSE ); return( str ); } /* Decode%20a%20file%20name */ void http_decode( char *s ) { char *t; int i, j, k; t = g_new( char, strlen( s ) + 1 ); for( i = j = 0; s[i]; i ++, j ++ ) { if( s[i] == '%' ) { if( sscanf( s + i + 1, "%2x", &k ) ) { t[j] = k; i += 2; } else { *t = 0; break; } } else { t[j] = s[i]; } } t[j] = 0; strcpy( s, t ); g_free( t ); } /* Warning: This one explodes the string. Worst-cases can make the string 3x its original size! */ /* This fuction is safe, but make sure you call it safely as well! */ void http_encode( char *s ) { char t[strlen(s)+1]; int i, j; strcpy( t, s ); for( i = j = 0; t[i]; i ++, j ++ ) { /* Warning: isalnum() is locale-aware, so don't use it here! */ if( ( t[i] >= 'A' && t[i] <= 'Z' ) || ( t[i] >= 'a' && t[i] <= 'z' ) || ( t[i] >= '0' && t[i] <= '9' ) || strchr( "._-~", t[i] ) ) { s[j] = t[i]; } else { sprintf( s + j, "%%%02X", ((unsigned char*)t)[i] ); j += 2; } } s[j] = 0; } /* Strip newlines from a string. Modifies the string passed to it. */ char *strip_newlines( char *source ) { int i; for( i = 0; source[i] != '\0'; i ++ ) if( source[i] == '\n' || source[i] == '\r' ) source[i] = ' '; return source; } /* Wrap an IPv4 address into IPv6 space. Not thread-safe... */ char *ipv6_wrap( char *src ) { static char dst[64]; int i; for( i = 0; src[i]; i ++ ) if( ( src[i] < '0' || src[i] > '9' ) && src[i] != '.' ) break; /* Hmm, it's not even an IP... */ if( src[i] ) return src; g_snprintf( dst, sizeof( dst ), "::ffff:%s", src ); return dst; } /* Unwrap an IPv4 address into IPv6 space. Thread-safe, because it's very simple. :-) */ char *ipv6_unwrap( char *src ) { int i; if( g_strncasecmp( src, "::ffff:", 7 ) != 0 ) return src; for( i = 7; src[i]; i ++ ) if( ( src[i] < '0' || src[i] > '9' ) && src[i] != '.' ) break; /* Hmm, it's not even an IP... */ if( src[i] ) return src; return ( src + 7 ); } /* Convert from one charset to another. from_cs, to_cs: Source and destination charsets src, dst: Source and destination strings size: Size if src. 0 == use strlen(). strlen() is not reliable for UNICODE/UTF16 strings though. maxbuf: Maximum number of bytes to write to dst Returns the number of bytes written to maxbuf or -1 on an error. */ signed int do_iconv( char *from_cs, char *to_cs, char *src, char *dst, size_t size, size_t maxbuf ) { GIConv cd; size_t res; size_t inbytesleft, outbytesleft; char *inbuf = src; char *outbuf = dst; cd = g_iconv_open( to_cs, from_cs ); if( cd == (GIConv) -1 ) return( -1 ); inbytesleft = size ? size : strlen( src ); outbytesleft = maxbuf - 1; res = g_iconv( cd, &inbuf, &inbytesleft, &outbuf, &outbytesleft ); *outbuf = '\0'; g_iconv_close( cd ); if( res == (size_t) -1 ) return( -1 ); else return( outbuf - dst ); } /* A pretty reliable random number generator. Tries to use the /dev/random devices first, and falls back to the random number generator from libc when it fails. Opens randomizer devices with O_NONBLOCK to make sure a lack of entropy won't halt BitlBee. */ void random_bytes( unsigned char *buf, int count ) { #ifndef _WIN32 static int use_dev = -1; /* Actually this probing code isn't really necessary, is it? */ if( use_dev == -1 ) { if( access( "/dev/random", R_OK ) == 0 || access( "/dev/urandom", R_OK ) == 0 ) use_dev = 1; else { use_dev = 0; srand( ( getpid() << 16 ) ^ time( NULL ) ); } } if( use_dev ) { int fd; /* At least on Linux, /dev/random can block if there's not enough entropy. We really don't want that, so if it can't give anything, use /dev/urandom instead. */ if( ( fd = open( "/dev/random", O_RDONLY | O_NONBLOCK ) ) >= 0 ) if( read( fd, buf, count ) == count ) { close( fd ); return; } close( fd ); /* urandom isn't supposed to block at all, but just to be sure. If it blocks, we'll disable use_dev and use the libc randomizer instead. */ if( ( fd = open( "/dev/urandom", O_RDONLY | O_NONBLOCK ) ) >= 0 ) if( read( fd, buf, count ) == count ) { close( fd ); return; } close( fd ); /* If /dev/random blocks once, we'll still try to use it again next time. If /dev/urandom also fails for some reason, stick with libc during this session. */ use_dev = 0; srand( ( getpid() << 16 ) ^ time( NULL ) ); } if( !use_dev ) #endif { int i; /* Possibly the LSB of rand() isn't very random on some platforms. Seems okay on at least Linux and OSX though. */ for( i = 0; i < count; i ++ ) buf[i] = rand() & 0xff; } } int is_bool( char *value ) { if( *value == 0 ) return 0; if( ( g_strcasecmp( value, "true" ) == 0 ) || ( g_strcasecmp( value, "yes" ) == 0 ) || ( g_strcasecmp( value, "on" ) == 0 ) ) return 1; if( ( g_strcasecmp( value, "false" ) == 0 ) || ( g_strcasecmp( value, "no" ) == 0 ) || ( g_strcasecmp( value, "off" ) == 0 ) ) return 1; while( *value ) if( !isdigit( *value ) ) return 0; else value ++; return 1; } int bool2int( char *value ) { int i; if( ( g_strcasecmp( value, "true" ) == 0 ) || ( g_strcasecmp( value, "yes" ) == 0 ) || ( g_strcasecmp( value, "on" ) == 0 ) ) return 1; if( ( g_strcasecmp( value, "false" ) == 0 ) || ( g_strcasecmp( value, "no" ) == 0 ) || ( g_strcasecmp( value, "off" ) == 0 ) ) return 0; if( sscanf( value, "%d", &i ) == 1 ) return i; return 0; } struct ns_srv_reply **srv_lookup( char *service, char *protocol, char *domain ) { struct ns_srv_reply **replies = NULL; #ifdef HAVE_RESOLV_A struct ns_srv_reply *reply = NULL; char name[1024]; unsigned char querybuf[1024]; const unsigned char *buf; ns_msg nsh; ns_rr rr; int i, n, len, size; g_snprintf( name, sizeof( name ), "_%s._%s.%s", service, protocol, domain ); if( ( size = res_query( name, ns_c_in, ns_t_srv, querybuf, sizeof( querybuf ) ) ) <= 0 ) return NULL; if( ns_initparse( querybuf, size, &nsh ) != 0 ) return NULL; n = 0; while( ns_parserr( &nsh, ns_s_an, n, &rr ) == 0 ) { size = ns_rr_rdlen( rr ); buf = ns_rr_rdata( rr ); len = 0; for( i = 6; i < size && buf[i]; i += buf[i] + 1 ) len += buf[i] + 1; if( i > size ) break; reply = g_malloc( sizeof( struct ns_srv_reply ) + len ); memcpy( reply->name, buf + 7, len ); for( i = buf[6]; i < len && buf[7+i]; i += buf[7+i] + 1 ) reply->name[i] = '.'; if( i > len ) { g_free( reply ); break; } reply->prio = ( buf[0] << 8 ) | buf[1]; reply->weight = ( buf[2] << 8 ) | buf[3]; reply->port = ( buf[4] << 8 ) | buf[5]; n ++; replies = g_renew( struct ns_srv_reply *, replies, n + 1 ); replies[n-1] = reply; } if( replies ) replies[n] = NULL; #endif return replies; } void srv_free( struct ns_srv_reply **srv ) { int i; if( srv == NULL ) return; for( i = 0; srv[i]; i ++ ) g_free( srv[i] ); g_free( srv ); } /* Word wrapping. Yes, I know this isn't UTF-8 clean. I'm willing to take the risk. */ char *word_wrap( const char *msg, int line_len ) { GString *ret = g_string_sized_new( strlen( msg ) + 16 ); while( strlen( msg ) > line_len ) { int i; /* First try to find out if there's a newline already. Don't want to add more splits than necessary. */ for( i = line_len; i > 0 && msg[i] != '\n'; i -- ); if( msg[i] == '\n' ) { g_string_append_len( ret, msg, i + 1 ); msg += i + 1; continue; } for( i = line_len; i > 0; i -- ) { if( msg[i] == '-' ) { g_string_append_len( ret, msg, i + 1 ); g_string_append_c( ret, '\n' ); msg += i + 1; break; } else if( msg[i] == ' ' ) { g_string_append_len( ret, msg, i ); g_string_append_c( ret, '\n' ); msg += i + 1; break; } } if( i == 0 ) { g_string_append_len( ret, msg, line_len ); g_string_append_c( ret, '\n' ); msg += line_len; } } g_string_append( ret, msg ); return g_string_free( ret, FALSE ); } gboolean ssl_sockerr_again( void *ssl ) { if( ssl ) return ssl_errno == SSL_AGAIN; else return sockerr_again(); } /* Returns values: -1 == Failure (base64-decoded to something unexpected) 0 == Okay 1 == Password doesn't match the hash. */ int md5_verify_password( char *password, char *hash ) { md5_byte_t *pass_dec = NULL; md5_byte_t pass_md5[16]; md5_state_t md5_state; int ret = -1, i; if( base64_decode( hash, &pass_dec ) == 21 ) { md5_init( &md5_state ); md5_append( &md5_state, (md5_byte_t*) password, strlen( password ) ); md5_append( &md5_state, (md5_byte_t*) pass_dec + 16, 5 ); /* Hmmm, salt! */ md5_finish( &md5_state, pass_md5 ); for( i = 0; i < 16; i ++ ) { if( pass_dec[i] != pass_md5[i] ) { ret = 1; break; } } /* If we reached the end of the loop, it was a match! */ if( i == 16 ) ret = 0; } g_free( pass_dec ); return ret; } /* Split commands (root-style, *not* IRC-style). Handles "quoting of" white\ space in 'various ways'. Returns a NULL-terminated static char** so watch out with nested use! Definitely not thread-safe. */ char **split_command_parts( char *command ) { static char *cmd[IRC_MAX_ARGS+1]; char *s, q = 0; int k; memset( cmd, 0, sizeof( cmd ) ); cmd[0] = command; k = 1; for( s = command; *s && k < IRC_MAX_ARGS; s ++ ) if( *s == ' ' && !q ) { *s = 0; while( *++s == ' ' ); if( *s == '"' || *s == '\'' ) { q = *s; s ++; } if( *s ) { cmd[k++] = s; s --; } else { break; } } else if( *s == '\\' && ( ( !q && s[1] ) || ( q && q == s[1] ) ) ) { char *cpy; for( cpy = s; *cpy; cpy ++ ) cpy[0] = cpy[1]; } else if( *s == q ) { q = *s = 0; } /* Full zero-padding for easier argc checking. */ while( k <= IRC_MAX_ARGS ) cmd[k++] = NULL; return cmd; }
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-14 01:00:21 +0000